[Freeipa-devel] access control for cert generation

Rob Crittenden rcritten at redhat.com
Tue Oct 20 21:28:03 UTC 2009


Dmitri Pal wrote:
> Rob Crittenden wrote:
>> I touched on this a little in IRC, figured I'd move it to the list for
>> a fuller conversation.
>>
>> I'm in the process of adding access controls to machines requesting
>> certificates for themselves.
>>
>> Let me first show what happens when a certificate request occurs:
>>
>> - Some authenticated entity generates a CSR and submits a request.
>> This request consists of a service principal name and the CSR
>> - If the hostname of the CSR matches the hostname of the requestor it
>> is passed to the CA (optionally an entity may be granted to issue
>> certs for any host)
>> - the CA automatically issues a certificate and returns the cert blob
>> - If the service already exists, the cert blob is added to the entry
>> - If not and it was requested, a service record is created for the
>> service principal
>> - Finally the cert text is returned to the client
>>
>> So a couple of things here:
>>
>> - Do we want any machine to be able to generate certificates for
>> itself? Steve was a bit nervous about this.
> 
> I think there is a difference between host cert for the system and
> service cert for the same host.

Not really. What is this host cert going to be used for? The only kind 
of cert we currently issue is for SSL servers, not for identity (e.g. no 
client certs).

> Issuance or tracking of the service certs needs to be initiated by the
> user that has rights to request tracking or creation of a specific
> service cert. 

Ok, that's fine, but it precludes generating an SSL cert in a kickstart 
without providing some sort of credential. I was planning on using the 
host keytab to get the certificate. If that is out then my life becomes 
much, much simpler.

> So without this initial authorization I do not think the host can do
> anything with the cert for the service running on the host.
> This means that the initial cert tracking issuance request should create
> some kind of the attribute that will be used in the ACI rule to check if
> this cert can then later on be re-requested by the host.
> 
> Does this approach make sense?

We currently have access controls for users to request certs for hosts. 
That should be adequate to cover this.

So it sounds like there is nothing to do here, move along :-)

rob

>> - If not, do we want a group to specify which machines can do
>> requests? Could get cumbersome to manage at some point but otherwise
>> it would be a manual process to say "Steve's laptop can't request certs".
>> - machines will need permission to write service entries. Do we want
>> to grant this access to all machines? I might need some help from the
>> 389 team to write an ACI that lets us control machines only writing
>> service principals for themselves. I'd essentially need to pull out
>> the hostname part of the krbprincipalname and somehow use that to
>> limit write access to host/hostname at REALM. I can do it in code but
>> then someone could do an ldapmodify to add a service and go around our
>> XML-RPC interface (very naughty).
>>
>> rob
> 
> 
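The hostname-match rule from the request flow above (CSR hostname must equal the requestor's own hostname, unless the requestor is allowed to issue for any host), written out as an added example that is not FreeIPA's own code. It assumes the CSR's subject CN and SAN dNSName values have already been extracted as strings, and that principals have the usual `service/hostname@REALM` shape.

```python
# Added example (not FreeIPA code): authorization decision for a host that
# requests a certificate for a service principal. Assumes the caller already
# extracted the CSR subject CN and SAN dNSName entries as plain strings.
import re

# Principal names are assumed to look like "service/hostname@REALM".
_PRINC_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^@]+)$")


def split_principal(principal):
    """Return (service, hostname, realm); hostname is lower-cased, no trailing dot."""
    m = _PRINC_RE.match(principal)
    if not m:
        raise ValueError("not a service principal: %r" % principal)
    return m.group("service"), m.group("host").lower().rstrip("."), m.group("realm")


def csr_hostnames(subject_cn, san_dns_names):
    """Normalise every name the CSR asks for (CN plus all SAN DNS names)."""
    names = [subject_cn] + list(san_dns_names)
    return {n.lower().rstrip(".") for n in names if n}


def may_request_cert(requestor_principal, target_principal, subject_cn,
                     san_dns_names, can_issue_for_any_host=False):
    """Return (allowed, reason) for issuing target_principal's cert from this CSR."""
    req_service, req_host, req_realm = split_principal(requestor_principal)
    _svc, target_host, target_realm = split_principal(target_principal)
    names = csr_hostnames(subject_cn, san_dns_names)

    if req_realm != target_realm:
        return False, "requestor and target are in different realms"
    # Every name in the CSR must be exactly the target host: no wildcards,
    # no extra SAN entries that would let a host mint certs for its neighbours.
    if any(n.startswith("*") for n in names):
        return False, "wildcard names are never issued automatically"
    if names != {target_host}:
        return False, "CSR names %s do not match target host %s" % (sorted(names), target_host)
    if can_issue_for_any_host:
        return True, "requestor is permitted to issue certs for any host"
    # Only a host principal may use the self-service path, and only for itself.
    if req_service != "host":
        return False, "only host principals may request certs for themselves"
    if target_host != req_host:
        return False, "host %s may only request certs for itself" % req_host
    return True, "CSR hostname matches the requesting host"
```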
